Intel has scaled back its plans to produce microcode updates for some of its older processors to address the "Spectre variant 2" attack. Core 2 processors are no longer scheduled to receive updates, and, while some first generation Core products have microcode updates available already, others have had their update cancelled.

The Spectre attack has two variants, numbered version 1 and version 2. Spectre version 1 attacks will need software fixes, and the nature of these attacks means that they may always need software fixes. Version 2 is amenable to hardware and firmware fixes.

Over the last few months, Intel has been delivering microcode updates to provide firmware fixes for many of its processors already in the field. The microcode updates give operating systems greater control over the branch prediction and speculative execution capabilities of the processor, protecting against Spectre version 2, albeit with some performance cost.

In March, Intel said that it was developing microcode fixes for processors as old as the 45nm Core 2 chips (built on the Penryn architecture) and the first-generation Core processors (built using the Westmere and Nehalem architectures). However, the company's latest update on the status of its microcode revisions indicates that it has dropped some of these plans.

None of the Core 2 processors will now receive a microcode update for Spectre. Some Westmere and some Nehalem processors have an update available, but those that don't will now never be updated.

The reason Intel has given for this decision is threefold:

Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715).

Limited Commercially Available System Software support.

Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.

With this policy change, Intel has developed all the Spectre microcode fixes it's going to. The decision to update some first-generation Core processors but not others is still a little peculiar, as it's hard to imagine how these reasons might apply to some variants but not others. Owners of Sandy Bridge or newer systems can be confident of having updated microcode, but anyone with a first generation chip would be advised to read Intel's list of parts to figure out whether they'll be getting a fix or not.
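A check a practitioner would run before trusting a host's status, added here as an example rather than anything from the article or from Intel: it reads the Linux kernel's sysfs Spectre v2 report and the cpuinfo flags and classifies the machine as unpatched, software-only (retpoline) or firmware-assisted (microcode present). The sample strings are constructed, and the flag names assumed are the ones various Linux kernel versions and distributions have used for the speculation-control CPUID bits.

```shell
#!/bin/sh
# Added example (not from the article or Intel). The kernel reports
# "Vulnerable" or "Mitigation: ..." in
# /sys/devices/system/cpu/vulnerabilities/spectre_v2, and an Intel microcode
# update with the Variant 2 features exposes CPUID bits that Linux lists
# among the cpuinfo flags (spec_ctrl / ibpb / ibrs / stibp, depending on
# kernel version and distribution; assumed names, check your kernel).

# classify_spectre_v2 SYSFS_TEXT CPUINFO_FLAGS
# Prints one word: unpatched, software-only, or firmware-assisted.
classify_spectre_v2() {
    sysfs="$1"
    flags="$2"
    case "$sysfs" in
        Mitigation:*) ;;                       # kernel applied some mitigation
        *) echo unpatched; return 0 ;;         # "Vulnerable" or unknown text
    esac
    # Microcode is in play when the CPU advertises speculation-control bits...
    for f in spec_ctrl ibpb ibrs stibp; do
        case " $flags " in
            *" $f "*) echo firmware-assisted; return 0 ;;
        esac
    done
    # ...or when the kernel itself says it is using IBPB / IBRS.
    case "$sysfs" in
        *IBPB*|*IBRS*) echo firmware-assisted; return 0 ;;
    esac
    echo software-only                         # e.g. retpoline with no microcode
}

# Reads the live system when run on Linux with a 4.15+ kernel.
report_live_system() {
    vf=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$vf" ] || { echo "no sysfs report (kernel too old or not Linux)"; return 0; }
    fl=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-)
    printf '%s  (%s)\n' "$(classify_spectre_v2 "$(cat "$vf")" "$fl")" "$(cat "$vf")"
}

# Constructed sample inputs (not captured from real hosts).
SAMPLE_OLD_SYSFS="Vulnerable"
SAMPLE_OLD_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat sse2 ssse3 sse4_1 lahf_lm"
SAMPLE_RETPOLINE_SYSFS="Mitigation: Full generic retpoline"
SAMPLE_PATCHED_SYSFS="Mitigation: Full generic retpoline, IBPB, IBRS_FW"
SAMPLE_PATCHED_FLAGS="fpu vme de pse tsc msr pae sse2 ssse3 sse4_1 sse4_2 popcnt lahf_lm ibpb ibrs stibp"

report_live_system
```

An unpatched Core 2 host shows "Vulnerable" with none of the speculation-control flags; a first-generation Core host that did receive microcode shows the extra flags even when the kernel line only mentions retpoline.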

These aren't 10-year-old chips that wore out, though. These are 10-year-old chips that have been defective from day 1.

I don't know if saying these have been "defective" since day 1 is really fair, since they worked safely and as advertised for 10ish years.

Intel appears to have taken some shortcuts that led to this situation, but it's hard to say whether a "reasonable" computer engineer could have really anticipated this type of attack. After all, it took 10 years for these problems to become known (at least publicly...).

Also, Spectre and Meltdown are local-only attacks. As long as you're not running untrusted code on these old machines (including JavaScript), then you're safe.

This is patently false. If one of your "trusted" applications has a security flaw, then someone can take advantage of your already weakened system. You are trusting Windows to not have any more flaws, not any other applications you are running. As soon as one of them has a flaw, the system gets compromised and if you give them the ability to capture cache contents, then you give them more access. Instead of just getting access to run a remote program, now you have the attacker having the ability to run programs as root. That is a huge difference.

If you had said the following, it would be accurate: "As long as you're not running untrusted code on these old machines (including JavaScript) and are not connected to the Internet, then you're reasonably safe."

My workplace still uses the older 2009/2010 MacBooks which have Core 2 Duos. You might ask how, but with 8GB of RAM and an SSD, they work fantastic. They're even still supported by the latest macOS and receive regular software updates.

They're also very much exposed on the internet as they're used daily for Google Docs, YouTube, MineCraft EDU, etc.

In a world where consumers were protected from this kind of thing, Intel wouldn't be able to get away with this.

The chips they aren’t planning to update are almost a decade old.

They are mostly obsolete by modern standards. They probably only exist in very specific use cases anymore, and if a piece of hardware fails in them, they are likely unrepairable at this point.

If it is a security concern, perhaps it is time to upgrade to a $50 current-gen Pentium... or a little NUC...

Obsolete? A Q95xx would still perform admirably by today's standards. There's not really much reason to upgrade from one if you don't perform CPU-intensive tasks. It's even enough for gaming for the most part.

More importantly, on a pragmatic level, if Intel is refusing to patch this they would be leaving large numbers of computers vulnerable. While it does not allow remote execution, it could potentially be combined with software vulnerabilities and lead to yet another botnet.

If your system is already compromised then they don't even need these Spectre or Meltdown flaws to steal your data.

Oh no, they were defective from day one. Read what Linus Torvalds and other Linux developers write: they are very much pissed at Intel, and what pisses them off the most is the fact that this was textbook stuff. The side channels from branch prediction and cache attacks had all been researched theoretically and were very well known in the industry. True, there was a lack of practical exploits, but everybody agreed on what the dangers were and how a proper processor design would mitigate them. It's not possible to believe that Intel's engineers were not aware of this. Intel just chose to push defective processors because they would run faster and give a competitive advantage.

In other words, "Meltdown" is completely Intel's responsibility. "Spectre" is more of a mixed bag, but a lot could have been done to make Spectre-like attacks much harder to implement.

If you want Intel engineers spending their workdays trying to figure out how to fix a very tricky, very low-level exploit in hardware they haven't studied in at least five years, fine, but then you're going to be pretty hypocritical if you complain about how slowly Intel is rolling out newer, faster hardware.

You make it sound like Intel's R&D spending is limited by their profit and that they're stretching their finances to the limit. Look at their income statement, you might be surprised.

Also, who the hell cares about the welfare of billion-dollar corporations with little foreign competition? They can fix microcode and work on future processors at the same time. Many of the hurdles are related to process and materials anyway, and last I checked solid-state physicists, materials scientists, and process engineers weren't working on microcode.

The confusion about some first gens having patches is that both 45 and 32nm Nehalem/Westmeres got lumped into one generation. Later on Westmere would've been considered a new gen... and even later a new major (X0) stepping would be yet another generation.

In all fairness, those same chips are at least half as fast as what you can buy now for the same price, with adjustments for inflation of course. Why drop $500+ on a new computer when grabbing a $60 SSD does more to speed the system up?

Oh no, they were defective from day one. Read what Linus Torvalds and other Linux developers write: they are very much pissed by Intel, and what pisses them off the most is the fact this was textbook stuff. The side channels from branch predictions and cache attacks, this all had been researched theoretically, and very well known in the industry.

That claim is not well supported by the literature.

This is probably why Meltdown isn't just an Intel problem; it's also an Apple and ARM problem. Spectre adds AMD to that list, too.